Healthcare data breaches caused by hacks are on the rise

Data breaches caused by hacking and so-called IT incidents are on the rise, with the number reported in 2017 to set out pace the number reported in 2016, according to data from HHS’ Office for Civil Rights.

Security experts said that’s because hacking has gotten easier and organizations are now reporting incidents they previously might have kept quiet about.

These trends come together in impressive numbers: Between the beginning of 2017 and Aug. 14, 2017, there were five hacking or IT incidents that have been resolved, according to the OCR’s breach portal, plus 76 more that are still under investigation. In all of 2016, there were 50 resolved hacking or IT incidents and 63 under investigation.

“You don’t need to be a hacker anymore,” said Bob Anderson, formerly of the FBI and now managing director in Navigant’s Global Legal Technology Solutions practice. “That’s a huge difference.”

Many of the attacks in the U.S. come from tools bought on the darknet or illicit websites, Anderson said, and there’s been a particular uptick in attacks that compromise email. To get access to an organization’s email system, a person might send an email with an attachment that’s a piece of nefarious software that gives the person access to the organization’s entire directory, which, in turn, likely contains at least one email password. These kinds of attacks may go unnoticed, he said, “because it’s not going to be like someone attacking an endpoint like in a traditional hack.”

Hackers who gain access to health systems’ files tend to be interested in protected health information, which they can sell on the darknet. “They’ll attack whatever part of the infrastructure that’s going to get them more money,” Anderson said.

As the frequency of attacks increases, so does the frequency of reporting.

“A lot of organizations are becoming more aware of their responsibility to report data breaches,” said Jeff Krull, a partner with Baker Tilly. “People are reporting things that maybe in the past they may not have known to report.”

In general, healthcare organizations have been improving their cybersecurity programs, said Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society. “Cybersecurity is taken more seriously, and healthcare organizations are making it a higher priority,” Kim said. “It is a business and clinical necessity.”

Still, cybersecurity spending makes up just a sliver of organizations’ budgets. Forty percent of respondents to a recent HIMSS survey said 1% to 2% of their organizations’ budgets goes to cybersecurity, and 32% said 3% to 6% goes to cybersecurity. More than a fifth of respondents didn’t know what percentage of their organizations’ budgets were spent on cybersecurity.

The key to preventing hacking and other IT incidents is a good response to attacks, said Richard Henderson, a global security strategist at Absolute. “You need to be able to detect attacks as fast as possible and then respond,” he said. “You’re not going to be perfect, so it’s how you respond to a breach that really dictates how egregious the offense is going to be.”

Organizations with chief information security officers may be better-equipped for that, according to the HIMSS survey, which showed that organizations with cybersecurity leaders tended to have better cybersecurity practices at the organization level compared with those who don’t have such leaders. For instance, 95% of organizations with security leaders reported using the NIST Cybersecurity Framework, compared to under a third of organizations without security leaders. Most organizations with cybersecurity leaders assessed cybersecurity as part of their due diligence for new products or services, while only 57% of those without security leaders conducted such assessments.

Such due diligence is growing increasingly important as connected devices become commonplace. “More and more stuff is getting connected at a time when organizations are already struggling to keep up with what they already have,” Krull said. “It’s a recipe for more breaches.”